Senior Director - GRC Engineer

The Senior Director, Governance Risk and Compliance (GRC) Engineer is a senior leader within the Digital Legal Office (DLO) GRC & Service Management organization. The role translates the DLO’s privacy, AI, and data governance frameworks into effective, auditable, and increasingly automated control designs. The GRC Engineer bridges the gap between what regulatory and policy obligations require, and how those obligations are implemented as operational controls by business control owners across the enterprise. The GRC Engineer leads the engineering team that ensures controls are well-designed, produce the evidence required for KRI/KPI measurement, and can be sustained and automated over time. They also have responsibility for the control maturity roadmap; synthesizing GRC Analyst outputs, KRI/KPI performance data, and assessment findings, into a strategic plan that prioritizes where and how controls need to mature. The GRC Engineer is the primary technical enablement partner for the DLO Embedded Team, equipping them to guide business control owners through implementation. This influence model requires a senior individual who can credibly engage at the right level across the enterprise, driving adoption of control designs with stakeholders who have contending priorities and significant organizational authority. This role also serves as the DLO’s peer-level liaison to Cyber Engineering and Security Architecture teams, ensuring that DLO-owned control designs are technically coherent with the broader enterprise security architecture, and that shared control boundaries are clearly defined. Key Responsibilities 1. Control Design & Architecture Own end-to-end design of DLO-owned privacy, AI, and data governance controls—translating regulatory obligations, policy requirements, and risk appetite into auditable, repeatable control architectures. Define and retain control design specifications for each control in the DLO GRC Framework, including test procedures, evidence requirements, data flows, and automation targets. Apply privacy-by-design and AI-by-design principles throughout the control engineering lifecycle, from inception through deployment and ongoing sustainment. Lead technical analysis to identify control gaps, design deficiencies, and automation opportunities; propose and drive remediation with appropriate urgency. Develop and publish design documentation, technical specifications, and implementation guides that create consistency in how controls are built and validated. Design control evidence outputs that directly feed KRI/KPI measurement—ensuring that what gets measured is a function of control design, not manual data collection. 2. Control Maturity Roadmap & Strategic Direction Be responsible for the DLO control maturity roadmap—a multi-year strategic plan defining how DLO-owned controls will evolve in response to regulatory change, technology advancement, and enterprise risk posture shifts. Synthesize inputs from GRC Analysts (risk assessments, control effectiveness ratings, gap analyses) and KRI/KPI performance data to identify where controls are underperforming, immature, or misaligned to risk appetite—and translate those findings into prioritized maturity initiatives. Define maturity targets for each control domain (privacy, AI, data governance), establishing clear progression criteria from initial/ad-hoc through optimized/automated states. Lead strategic planning processes that translate the roadmap into prioritized, funded, and governed initiatives with clear milestones, owners, and success metrics. Anticipate regulatory and technology trends (e.g., EU AI Act enforcement, evolving NIST frameworks, agentic AI) and proactively incorporate their implications into control design direction and maturity targets. Partner with GRC Analysts and Service Management to align the control maturity roadmap with the risk assessment calendar and service delivery capacity. Engage DLO leadership and senior stakeholders regularly to communicate roadmap progress, emerging risks, and recommended strategic investments in control maturity. 3. Embedded Team & Business Control Owner Enablement Serve as the senior technical enablement partner for the DLO Embedded Team, providing control design blueprints, reference architectures, and technical guidance that equip them to work effectively with business control owners. Develop reusable control design frameworks, templates, and implementation patterns that business teams can adapt to their specific processes and technology environments. Directly engage business control owners on complex or contested control designs—providing the technical authority and credibility required to resolve design disagreements, negotiate evidence requirements, and drive adoption of control standards. Provide support and direction on how to translate assessment findings, incidents, and issues into actionable control improvements. Triage and advise on sophisticated, ambiguous control scenarios where regulatory guidance, technical constraints, and business priorities must be carefully balanced. Build engagement models that create a consistent control design culture across the enterprise—proactively sharing protocols, lessons learned, and design patterns. 4. Cyber Engineering & Architecture Partnership Serve as the DLO’s peer-level liaison to the CISO organization’s Engineering and Security Architecture teams for matters of control design, technical integration, and shared control boundaries. Ensure DLO-owned controls are technically coherent with enterprise security architecture—particularly where privacy, AI, and cybersecurity controls share infrastructure, tooling, or evidence sources. Partner on control design reviews where DLO and Cyber controls intersect (e.g., data protection controls that serve both privacy and security objectives). Evaluate and recommend privacy-enhancing technologies (PETs), AI governance tools, and GRC platform capabilities in coordination with Cyber Architecture’s technology roadmap. Coordinate with the AI Strategy & Digital Risk role to present a coherent DLO interface to the CISO organization. 5. GRC Platform & Automation Enablement Partner with Service Management to design control configurations within the GRC platform (ServiceNow IRM), ensuring that what is designed can be operationalized, monitored, and reported against. Provide engineering leadership for the automation and AI-enablement of control operations across DLO owned and non-DLO owned controls—identifying where intelligent workflows, AI agents, and tooling can reduce manual effort and improve control reliability. Ensure that changes to the regulatory environment or technology landscape trigger appropriate design reviews and service updates, maintaining a living control ecosystem. Contribute to the DLO service catalog by ensuring controls are represented as managed services with defined inputs, outputs, SLAs, and continuous improvement mechanisms. Basic Qualifications Bachelor’s degree in Computer Science, Information Systems, Engineering, Cybersecurity, or a related technical field. 10+ years of progressive experience in GRC, risk engineering, privacy engineering, or security architecture 5+ years of experience focused on control design, implementation, or assurance at an enterprise scale. Qualified applicants must be authorized to work in the United States on a full-time basis. Lilly will not provide support for or sponsor work authorization or visas for this role, including but not limited to F-1 CPT, F-1 OPT, F-1 STEM OPT, J-1, H-1B, TN, O-1, E-3, H-1B1, or L-1. Preferred Qualifications Demonstrated ability to translate regulatory and policy requirements into technical control specifications and implementation guidance. Experience influencing senior team members on control design decisions in a matrixed, federated operating model. Experience with GRC platforms (ServiceNow IRM preferred) including control configuration, evidence management, and reporting design. Deep solid understanding of privacy and AI regulatory frameworks (GDPR, NIST Privacy Framework, NIST AI RMF, EU AI Act, U.S. state privacy laws). Experience developing and owning control maturity roadmaps, including defining maturity models, setting progression targets, and aligning investment to risk posture. Experience operating within a federated risk model, enabling business control owners rather than implementing controls directly. Strong verbal and written communication skills, with demonstrated ability to convey technical control design concepts to non-technical senior leaders. Experience in regulated industries—pharmaceutical, healthcare, or life sciences strongly preferred. Professional certification in privacy, risk, or security (e.g., CIPP/E, CIPT, CRISC, CISSP, CDPSE). Experience with privacy-enhancing technologies (PETs), AI governance tooling, or data classification technologies. Familiarity with ISO 27001/27701, SOC 2 controls, or equivalent control frameworks. Experience scaling control capabilities across a large, matrixed enterprise with multiple lines of defense. Hands‑on experience with control automation, including workflow orchestration, API‑based evidence collection, or AI‑assisted monitoring. Prior exposure to 2nd/3rd line of defense coordination (Internal Audit, Enterprise Risk, Quality). Track record of partnering with cybersecurity engineering and architecture functions on shared control design. Lilly is dedicated to helping individuals with disabilities to actively engage in the workforce, ensuring equal opportunities when vying for positions. If you require accommodation to submit a resume for a position at Lilly, please complete the accommodation request form ( ) for further assistance. Please note this is for individuals to request an accommodation as part of the application process and any other correspondence will not receive a response. Lilly is proud to be an EEO Employer and does not discriminate on the basis of age, race, color, religion, gender identity, sex, gender expression, sexual orientation, genetic information, ancestry, national origin, protected veteran status, disability, or any other legally protected status. Actual compensation will depend on a candidate’s education, experience, skills, and geographic location. The anticipated wage for this position is $154,500 - $226,600 Full‑time equivalent employees also will be eligible for a company bonus (depending, in part, on company and individual performance). In addition, Lilly offers a comprehensive benefit program to eligible employees, including eligibility to participate in a company-sponsored 401(k); pension; vacation benefits; eligibility for medical, dental, vision and prescription drug benefits; flexible benefits (e.g., healthcare and/or dependent day care flexible spending accounts); life insurance and death benefits; certain time off and leave of absence benefits; and well‑being benefits (e.g., employee assistance program, fitness benefits, and employee clubs and activities). Lilly reserves the right to amend, modify, or terminate its compensation and benefit programs in its sole discretion and Lilly’s compensation practices and guidelines will apply regarding the details of any promotion or transfer of Lilly employees. #J-18808-Ljbffr Eli Lilly and Company